New IETF I-D: Security Implications of IPv6 on IPv4 networks
Folks, We've published a new IETF I-D entitled Security Implications of IPv6 on IPv4 networks. The I-D is available at: http://www.ietf.org/id/draft-gont-opsec-ipv6-implications-on-ipv4-nets-00.txt The Abstract of the I-D is: cut here This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on IPv4-only networks, and describes possible mitigations for the aforementioned issues. cut here Any feedback will be very welcome. Thanks! Best regards, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
risk bearing/calculation for security service provider
Hi, I have some questions related to the security service that security SP offers. Is it common for SP to include risk related calculation into the security service (in contract/SLA) they offer? The question or problem might arise when some incident happened even the customer got secure hosting service from security SP. The customer might complain that SP doesn't protect them well and ask for some penalty in this case. So how does SP protect themselves in this case? Is there any best practice for that? thanks a lot, Ganbold
Partial Outage with TW Telecom and CenturyLink
Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller
Re: Host scanning in IPv6 Networks
On 20 April 2012 17:16, Owen DeLong o...@delong.com wrote: exec ? exceed ? Not a lot of x's in hexadecimal numbers outside of C-style formatting (0x). IPv6 addresses are not generally notated in said style and certainly don't include said x in a suitable context for that to be part of a dictionary attack. However, he also left out the common use of 7(t), 6/9(g), 1/7(I/L/T), 2(Z), 5(S), and 0(O). c is also often substituted for k (as in face:b00c). Owen Sorry. I did a quick filter of the openoffice dictionary file. Seems that I made an ugly mistake :-/ postdata: I have made a [0-9] to [aeioutnshrdlcmwf] converter. http://jsbin.com/ibepup/ This converts a decimal number into a hexadecimal number not using the [0-9A-F] table, but the [aeioutnshrdlcmwf] table. The aeioutnshrdlcmwf table may allow a big number of numbers to have an existing word of expression. postdata2: Using this converter, 123442553445523 is the word NaouuScuch. -- End of message.
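The substitutions listed in the message above (0=o, 1/7=i/l/t, 2=z, 5=s, 6/9=g, c for k) are what make "wordy" interface identifiers such as face:b00c guessable. The following is an added example, not code from the thread or from the linked converter: a small audit that flags addresses in your own inventory whose interface identifier spells a dictionary word. The wordlist, the function names and the 2001:db8::/32 sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample wordlist; a real audit would load a full dictionary file.
WORDS = ["face", "facebook", "dead", "beef", "cafe",
         "code", "safe", "feed", "tool", "good"]

# Letter -> canonical hex digit, following the substitutions in the message:
# 0=o, 1/7=i/l/t, 2=z, 5=s, 6/9=g, and c standing in for k.
LETTER_TO_HEX = {**{c: c for c in "abcdef"},
                 "k": "c", "o": "0", "i": "1", "l": "1", "t": "1",
                 "z": "2", "s": "5", "g": "6"}

# 7 and 9 are folded onto 1 and 6 so that either spelling of a word matches.
FOLD = str.maketrans({"7": "1", "9": "6"})


def word_skeleton(word):
    """Return the canonical hex spelling of a word, or None if it has none."""
    try:
        return "".join(LETTER_TO_HEX[ch] for ch in word.lower())
    except KeyError:
        return None


def build_index(words):
    """Map canonical hex spellings to the words that produce them."""
    index = {}
    for word in words:
        skeleton = word_skeleton(word)
        # Only words that fill whole 16-bit groups (4, 8, 12 or 16 digits).
        if skeleton and len(skeleton) % 4 == 0:
            index.setdefault(skeleton, set()).add(word)
    return index


def wordy_groups(addr, index):
    """List dictionary words spelled by the low 64 bits of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    digits = f"{iid:016x}".translate(FOLD)
    hits = set()
    # Try every run of whole groups: one group, two adjacent groups, and so on.
    for start in range(0, 16, 4):
        for end in range(start + 4, 17, 4):
            hits |= index.get(digits[start:end], set())
    return sorted(hits)


def audit(addresses, words=WORDS):
    """Return {address: [words]} for addresses with a guessable identifier."""
    index = build_index(words)
    report = {addr: wordy_groups(addr, index) for addr in addresses}
    return {addr: hits for addr, hits in report.items() if hits}


# Constructed inventory in the documentation prefix 2001:db8::/32.
SAMPLE_ADDRESSES = [
    "2001:db8::face:b00c",
    "2001:db8:1::dead:beef",
    "2001:db8::5afe:c0de",
    "2001:db8::7001:600d",
    "2001:db8:2:0:a1b2:c3d4:e5f6:789",
]

if __name__ == "__main__":
    for addr, hits in audit(SAMPLE_ADDRESSES).items():
        print(f"{addr}: interface identifier spells {', '.join(hits)}")
```

Addresses the audit flags are candidates for renumbering to identifiers that do not follow a dictionary pattern.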
Re: Partial Outage with TW Telecom and CenturyLink
CenturyLink is reporting core routing issues at this time. Seeing the same issues with our DS-3, BGP stayed up, but traffic was not passing over the line. Had to manually shutdown the interface to get traffic flowing over our other providers link. What a mess. On 4/24/2012 8:22 AM, Eric C. Miller wrote: Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller -- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
Re: Partial Outage with TW Telecom and CenturyLink
this belongs on outages@ no? On Tue, Apr 24, 2012 at 12:14 PM, Chris Gotstein ch...@uplogon.com wrote: CenturyLink is reporting core routing issues at this time. Seeing the same issues with our DS-3, BGP stayed up, but traffic was not passing over the line. Had to manually shutdown the interface to get traffic flowing over our other providers link. What a mess. On 4/24/2012 8:22 AM, Eric C. Miller wrote: Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller -- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
Re: Partial Outage with TW Telecom and CenturyLink
Yesterday at about 3 pm PDT DNS resolution problems were experienced through Centurylink. Apparently their Phoenix DNS servers were unreachable for some time. These types of incidents never happened with Qwest. Anyone else report a service degradation since Centurylink took over? On Tue, Apr 24, 2012 at 6:22 AM, Eric C. Miller e...@ericheather.com wrote: Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller
Re: Partial Outage with TW Telecom and CenturyLink
Already on outages. On 4/24/2012 11:28 AM, Christopher Morrow wrote: this belongs on outages@ no? On Tue, Apr 24, 2012 at 12:14 PM, Chris Gotstein ch...@uplogon.com wrote: CenturyLink is reporting core routing issues at this time. Seeing the same issues with our DS-3, BGP stayed up, but traffic was not passing over the line. Had to manually shutdown the interface to get traffic flowing over our other providers link. What a mess. On 4/24/2012 8:22 AM, Eric C. Miller wrote: Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller -- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com -- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
Re: Partial Outage with TW Telecom and CenturyLink
Where is this outages list? On Apr 24, 2012, at 10:36 AM, Chris Gotstein wrote: Already on outages. On 4/24/2012 11:28 AM, Christopher Morrow wrote: this belongs on outages@ no? On Tue, Apr 24, 2012 at 12:14 PM, Chris Gotstein ch...@uplogon.com wrote: CenturyLink is reporting core routing issues at this time. Seeing the same issues with our DS-3, BGP stayed up, but traffic was not passing over the line. Had to manually shutdown the interface to get traffic flowing over our other providers link. What a mess. On 4/24/2012 8:22 AM, Eric C. Miller wrote: Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller -- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com -- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
Re: Partial Outage with TW Telecom and CenturyLink
We have a ticket open with Level3. Our customers on the west coast using CenturyLink are not receiving traffic. -Bret On Apr 24, 2012, at 10:35 AM, david peahi wrote: Yesterday at about 3 pm PDT DNS resolution problems were experienced through Centurylink. Apparently their Phoenix DNS servers were unreachable for some time. These types of incidents never happened with Qwest. Anyone else report a service degradation since Centurylink took over? On Tue, Apr 24, 2012 at 6:22 AM, Eric C. Miller e...@ericheather.com wrote: Morning Everyone, Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching various sites through TW Telecom from our circuit in Orlando, FL. The unavailable sites included Facebook, Newegg, and Godaddy. The outage did not affect our Atlanta TW Telecom. I conferred with a colleague who manages a large customer in Apopka who said that they appeared not to be affected. His circuit and ours loop to the same TW Telecom POP. But even more Murphy than that, our Centurylink secondary circuit was having a routing loop issue at the same time, so while our BGP routes were being advertised to world through Centurylink, the circuit was useless. Centurylink acknowledged the existence of a bigger transport issue and said that we weren't the only customer affected. Anybody else notice these issues or have any other insight? Thanks! Eric Miller
Re: Partial Outage with TW Telecom and CenturyLink
On 4/24/12 9:37 AM, Bret Palsson wrote: Where is this outages list? https://puck.nether.net/mailman/listinfo/outages ~Seth
IPv6 dark traffic collection restarted
Hi, In 2010, and again in 2011, I ran an experiment to examine the dark traffic in IPv6. I did this by announcing the superblock 2400::/12 which has been allocated to APNIC for its IPv6 allocations. The superblock announcement is an aggregate and will not disrupt any IPv6 traffic - the packets that will head to this dark traffic collector were on their way to /dev/null in any case. We are about to run this experiment up again to collect a 2012 data profile for IPv6 dark traffic in 2012. Accordingly, 2400::/12 will be announced by AS3562 - please don't filter it! IPv6 packets are scarce enough already! :-) This time around we are being assisted by Sandia National Laboratories and ESnet, for which APNIC would like to acknowledge their assistance in this ongoing research activity. Some URLs: - ESnet news item is at: http://www.es.net/services/ipv6-network/esnet-supports-sandia-and-apnic-ipv6-background-radiation-research/ - LOA for the announcement: http://www.sandia.gov/apnic/authorization.pdf - Previous report: http://www.potaroo.net/ispcol/2010-07/dark6.pdf thanks, Geoff
Re: IPv6 dark traffic collection restarted
Dear Geoff; On Tue, Apr 24, 2012 at 12:41 PM, Geoff Huston g...@apnic.net wrote: Hi, In 2010, and again in 2011, I ran an experiment to examine the dark traffic in IPv6. I did this by announcing the superblock 2400::/12 which has been allocated to APNIC for its IPv6 allocations. The superblock announcement is an aggregate and will not disrupt any IPv6 traffic - the packets that will head to this dark traffic collector were on their way to /dev/null in any case. We are about to run this experiment up again to collect a 2012 data profile for IPv6 dark traffic in 2012. Accordingly, 2400::/12 will be announced by AS3562 - please don't filter it! IPv6 packets are scarce enough already! :-) As the IPv6 UDP Checksum relaxation effort gets instantiated (the draft http://tools.ietf.org/html/draft-ietf-6man-udpchecksums-02 is now in WGLC), could you look at the existence (or lack thereof) of UDP checksums in IPV6 ? It would be good to have some baseline data to see, if these become a problem in the future, what the state was before they were adopted. Regards Marshall This time around we are being assisted by Sandia National Laboratories and ESnet, for which APNIC would like to acknowledge their assistance in this ongoing research activity. Some URLs: - ESnet news item is at: http://www.es.net/services/ipv6-network/esnet-supports-sandia-and-apnic-ipv6-background-radiation-research/ - LOA for the announcement: http://www.sandia.gov/apnic/authorization.pdf - Previous report: http://www.potaroo.net/ispcol/2010-07/dark6.pdf thanks, Geoff
Squeezing IPs out of ARIN
Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this?
Re: Squeezing IPs out of ARIN
On Tue, Apr 24, 2012 at 10:32 AM, ad...@thecpaneladmin.com wrote: Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this? Indeed. It's worked this way for a long time. When starting a new organization, there's a bit of a chicken and egg problem with IP space. If anyone could get IP space just for asking for it, it would have been consumed too quickly. So, organizations must first get some space assigned to them from an upstream provider and begin using it. At some point the current usage and growth rate of the assigned space will justify a direct allocation. Then, you can renumber into your new space and be totally independent. Cheers, jof
Re: Squeezing IPs out of ARIN
On Tue, 24 Apr 2012, ad...@thecpaneladmin.com wrote: Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this? Now that we're getting down to the bottom of the IPv4 barrel, the amount of documentation and justification needed to get v4 addresses from the RIRs has increased. Expect any v4 requests to be scrutinized closely. This is not news, and at this point, it should not come as a surprise to anyone. IPv6 address blocks are pretty easy to get ;) jms
Re: Squeezing IPs out of ARIN
On Apr 24, 2012, at 10:47 AM, Jonathan Lassoff wrote: On Tue, Apr 24, 2012 at 10:32 AM, ad...@thecpaneladmin.com wrote: Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this? Indeed. It's worked this way for a long time. When starting a new organization, there's a bit of a chicken and egg problem with IP space. If anyone could get IP space just for asking for it, it would have been consumed too quickly. So, organizations must first get some space assigned to them from an upstream provider and begin using it. At some point the current usage and growth rate of the assigned space will justify a direct allocation. Then, you can renumber into your new space and be totally independent. Cheers, jof That's not entirely true. What you say applies to one possible way for an ISP to get an allocation. It does not apply at all to end-users. Owen
Re: Squeezing IPs out of ARIN
On Tue, 24 Apr 2012 ad...@thecpaneladmin.com wrote: Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this? If you can't [easily] tell ARIN who's using your current IP space, then you're probably not doing a very good job of managing that space, which begs the question, do you really need more? -- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Squeezing IPs out of ARIN
On Tue, Apr 24, 2012 at 11:14 AM, Owen DeLong o...@delong.com wrote: That's not entirely true. What you say applies to one possible way for an ISP to get an allocation. It does not apply at all to end-users. Even for end-user allocations, they would still need to fulfill the requirements of 4.3.3 in the ARIN NRPM (https://www.arin.net/policy/nrpm.html#four33), no? I suppose for immediate need assignments, this can be short circuited, but from what I know those are pretty rare. Am I missing something? Cheers, jof
Re: Squeezing IPs out of ARIN
On 24-Apr-12 12:32, ad...@thecpaneladmin.com wrote: Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. There are no end-user allocations. Allocations go to ISPs; assignments go to end-users. Which are you? From the sound of it, you're an ISP requesting an allocation, and ARIN is requesting documentation of the assignments you've made to end users from your previous allocation(s) to verify you really need more--as required by community policy. If you're doing an even marginally competent job of managing your previous allocation(s), this data should be readily available in /some/ form, and providing it to ARIN should require little more effort than pinging your lawyers to verify the appropriate NDA is in place. If you're /not/ doing a marginally competent job of managing your previous allocation(s), you're not going to get more until you learn to do a better job of it. In my experience, going through that learning experience will uncover a lot of unused space that will likely make your current request moot (for now). And that's a big part of the point. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this? Everyone /should/ be required to provide documentation of justification for all requests to any RIR. If you're aware of anyone who /hasn't/, let us know so we can beat up the RIR in question. S -- Stephen Sprunk, CCIE #3723, K5SSS. "God does not play dice." --Albert Einstein. "God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
Re: Squeezing IPs out of ARIN
On Apr 24, 2012, at 11:38 AM, Jonathan Lassoff wrote: On Tue, Apr 24, 2012 at 11:14 AM, Owen DeLong o...@delong.com wrote: That's not entirely true. What you say applies to one possible way for an ISP to get an allocation. It does not apply at all to end-users. Even for end-user allocations, they would still need to fulfill the requirements of 4.3.3 in the ARIN NRPM (https://www.arin.net/policy/nrpm.html#four33), no? Yes, but, that utilization can be documented need for X hosts to be numbered in an initial deployment, it does not have to be X existing hosts numbered from some other set of resources. It can also be made up of hosts numbered from RFC-1918 space which now need globally unique addresses for whatever reason. I suppose for immediate need assignments, this can be short circuited, but from what I know those are pretty rare. Not all that rare, but, yes, relatively rare. Am I missing something? I'm not sure. I know that I have no trouble getting appropriate sized assignments for my end-user clients with appropriate justification of their needs without them necessarily having existing space from ARIN or any other entity. I know that the ARIN process can, on occasion be tricky to navigate if you don't understand the subtleties of how some of the terminology is defined and that people often use terms which have very specific meanings to ARIN staff members to have a much broader meaning in what they are intending to say. I know that often leads to misunderstandings which make the process even more difficult. Owen
Re: Squeezing IPs out of ARIN
On 4/24/12, ad...@thecpaneladmin.com ad...@thecpaneladmin.com wrote: Anyone have any tips for getting IPs from ARIN? For an end-user allocation they are requesting that we provide customer names for existing allocations, which is information that will take a while to obtain. They are insisting that this is standard process and something that everyone does when requesting IPs. Has anyone actually had to do this? First, distinguish whether you're looking for an ISP allocation or an end-user assignment. If you're an end user then you're not allocating IP addresses to customers. I know you think you are, but trust me: you're not. You're assigning a block of addresses to 20 servers in the computer room and a block of addresses to 50 PCs on the LAN, and so forth. Where you claim servers connected to the Internet, expect to provide a list of current IPs or URLs which you claim will be moved onto the new addresses. You don't plan to use NAT anywhere because real IP addresses are better. Right? And if you have a customer at site B then you're doing the same thing at site B: X servers here, Y desktops there. Not at customer B, at _your site_ B. Also, you're multihoming. You already requested and received an ASN and you've provided a copy of bills from two different Internet vendors both listing your business name and location. Because if you're not multihoming then you have to have many many more computers. So many computers, in fact, that you'd have to be crazy not to multihome. If you're an ISP, the rules are a little different. A few of your addresses will be specified as above but most will be listed as assigned to Customer XYZ, address, name, phone number. Expect to provide customer name, address, contact name, contact email and phone number. If you don't wanna, you don't get to play at national registry level. Go get IPs from your upstream. 
For your largest customer assignments, expect to also present some basic documentation of their use in the same form as above: 50 PCs on the LAN, 20 servers in the computer room, etc. Because that's what the customer gave you to justify receiving those addresses. Pursuant to ARIN policy which as an ISP you follow. Right? Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
10GBASE-LR SFP+ in Reston, VA
Greetings, Anyone know how I can get my hands on a SFP-10G-LR in the Reston area, tonight? -- Brandon Ewing (nicot...@warningg.com)
Re: 10GBASE-LR SFP+ in Reston, VA
Not at this hour. Do you have a good relationship with your Cisco rep, assuming you have one? They might have one in their lab they could spot you... their lab is in Herndon. On Tue, Apr 24, 2012 at 6:15 PM, Brandon Ewing nicot...@warningg.com wrote: Greetings, Anyone know how I can get my hands on a SFP-10G-LR in the Reston area, tonight? -- Brandon Ewing (nicot...@warningg.com) -- To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
Juniper MX expert?
Any Juniper MX experts out there want to do some quick consulting for me (not for free)? I am working on implementing a couple of MX5 routers in a service provider setting, and have run into some issues. I am pretty proficient at the SRX and EX lines, but not as much with the MX. As the particulars of the issues go a little deeper than I feel comfortable asking for free help for, I will leave out the details on the list. Please contact me off list if you are willing and able to give me a hand. thanks, -Randy
Re: Squeezing IPs out of ARIN
On 4/24/2012 2:00 PM, Owen DeLong wrote: I know that the ARIN process can, on occasion be tricky to navigate if you don't understand the subtleties of how some of the terminology is defined and that people often use terms which have very specific meanings to ARIN staff members to have a much broader meaning in what they are intending to say. I know that often leads to misunderstandings which make the process even more difficult. Yeah. Let's not forget that if you have 120 management devices (wifi backhaul/switches/waps) and a ton of customers with /32 assignments and you are renumbering from provider assigned space you gathered over many years into your own initial ARIN assignment, they want: 1. equipment type and info for each management device 2. customer info for each /32 assignment Tell me what ISP can legally and ethically give out their customer base information? Don't get me wrong. I'm sure small guys don't think twice about it, accumulating all the information and handing it over to ARIN thinking they have no choice (the responses from ARIN leaves one with that impression; you want the address space, you WILL give us this). I sometimes wonder what happens to that information; if it sits around in an archive somewhere in the vast digital repositories of ARIN awaiting someone to steal it. Jack